1. Field of the Invention
This invention relates generally to a data processor, and, more particularly, to a method and apparatus for ensuring secure operation of the data processor.
2. Description of the Related Art
General purpose computing systems, such as personal computers have evolved from singletask devices to multitask devices. Systems that multitask require security and protection services to protect their operating system from user processes, and to protect the processes from each other. Without protections, a rogue program, for example, could unintentionally destroy the program code or data in the memory space belonging to the operating system or to another process.
Generally, in x86 microprocessor environments, security features have been implemented to provide varying privilege levels. Different types of software run at these varying privilege levels, and thus, have varying access to the resources of the computing system. For example, the operating system runs at the highest privilege level (Ring 0), which means that the operating system generally has free reign to access virtually any of the system resources.
The most recent version of Microsoft""s Windows(copyright) operating system, Windows 2000(copyright), now has over one million lines of code contained in its kernel and associated kernel-mode drivers. Thus, more than one million lines of code have generally free access to the system resources. There is a significant likelihood that some security defects or other bugs exist within this massive program.
The present invention is directed to overcoming, or at least reducing the effects of, one or more of the problems set forth above.
In one aspect of the present invention, a method is provided for storing security attributes. The method comprises assigning security attributes to each of a plurality of portions of memory of a computer system; storing the security attributes in a multi-level lookup table; and storing at least a subset of the security attributes in a cache.
In another aspect of the present invention, a method is provided for providing security in a computer system. The method comprises storing security attributes to a plurality of portions of memory of a computer system in a multi-level lookup table, and storing at least a subset of the security attributes in a cache. Thereafter a request to access a portion of memory is received, and a determination is made as to whether the security attributes associated with the requested portion of memory are stored in the cache. The stored security attributes are retrieved from the cache in response to detecting that the security attributes are stored therein. The stored security attributes are retrieved from the multi-level lookup table in response to detecting the absence of the stored security attributes in the cache. Thereafter, access to the requested portion of memory is permitted in response to the retrieved security attributes.
In still another aspect of the present invention, an apparatus is provided for providing security in a computer system. The apparatus comprises an address generator, a cache, and a multi-level lookup table. The address generator is adapted for producing an address associated with a memory location in the computer system. A cache is adapted for receiving at least a portion of the address and delivering security attributes stored therein associated with the address. A multi-level lookup table is adapted for receiving at least a portion of the address and delivering security attributes stored therein associated with the address in response to the absence of the security attributes being located in the cache.